Sponsored by..

Monday, 8 June 2015

Malware spam: "Bank payment" / "sarah@hairandhealth.co.uk"

This fake financial spam does not come from SBP Hair and Health but is a simple forgery with a malicious attachment.
From: sarah@hairandhealth.co.uk [mailto:sarah@hairandhealth.co.uk]
Sent: Monday, June 08, 2015 10:10 AM
Subject: Bank payment

Dear customer

Please find attached a bank payment for £3083.10 dated 10th June 2015 to pay invoice 1757.  With thanks.

Kind regards

Sarah
Accounts
Attached is a file Bank payment 100615.pdf [VT 2/57] which appears to drop a Word document with a malicious macro. Although there are probably several versions of this attachment, according to the Hybrid Analysis report it downloads a component from:

192.186.217.68/~banobatwo/15/10.exe

This is saved as %TEMP%\biksampc.exe and has a VirusTotal detection rate of 5/57. Automated analysis tools [1] [2] [3] indicate network traffic to the following IPs:

146.185.128.226 (Digital Ocean, Netherlands)
31.186.99.250 (Selectel, Russia)
176.99.6.10 (Global Telecommunications Ltd, Russia)
203.151.94.120 (Internet Thailand Company Limited, Thailand)
185.12.95.40 (RuWeb, Russia)

The Malwr report indicates that it drops a Dridex DLL with a detection rate of 4/57.

Recommended blocklist:
146.185.128.226
31.186.99.250
176.99.6.10
203.151.94.120
185.12.95.40

MD5s:
48d496afc9c2c123e1ab0c72822a7975
6cbd6126b5761efffbe10dafaa7a4bde
2e499cacb5b3a396a3b2a08bd0f4ce1e

Friday, 5 June 2015

Some domains belonging to Michael Price of BizSummits

Here are some domains belonging to Michael Price of BizSummits. Just saying.

hiringspring.net
logistics-summit.com
supplychainsummit.net
acr-clnt1.com
opendetail.com
itsecurityshow.com
lawpathfinder.net
esquirecareers.net
checkdetailz.com
bayareatechsummit.com
hospital-growthsummit.org
theproductdevsummit.net
powerbizdev.com
prexecutives.org
goldcoastsummit.com
hartfordsummit.org
tampatechsummit.com
jacksonvillesummit.com
miamisummit.org
atlantatechsummit.com
knoxvillesummit.org
nashvillesummit.org
sandiegotechsummit.com
orangecountysummit.com
lasummit.org
portlandtechsummit.com
seattletechsummit.com
denversummit.org
phoenixsummit.org
nytechsummit.org
providencesummit.org
bostonsummit.org
worcestersummit.org
portland-summit.com
cfobestpracticesroundtable.com
orlandosummit.com
cfo-summit.com
the-trainingsummit.net
thefinance-list.com
procurementsummits.org
procurementleadership.org
biz-summits.com
customerservicesociety.org
risk-summit.net
backupsite.biz
alturls.net
serveurls.net
servesites.net
arja.org

Malware spam: "General Election 2015 Invoices" / "SIMSSL@st-ives.co.uk"

This unusually-themed spam leads to malware. It does not come from St Ives but is instead a simple forgery.

From: SIMSSL@st-ives.co.uk [mailto:SIMSSL@st-ives.co.uk]
Sent: Friday, June 05, 2015 9:53 AM
Subject: General Election 2015 Invoices

Dear Sir/Madam

Please find attached your invoice 62812 for GE2015

Please could payment be quoted with your constituency name/Invoice numbers

Our Bank Details are:
St Ives Management Services Limited
HSBC
Sort Code: 40-04-24
Account Number: 71419501
Account Name: St Ives Management Services Limited

Remittance advices should be emailed to simsAR@st-ives.co.uk

If paying by cheque, please kindly remit to the address below and not to 1 Tudor Street:

St Ives Management Services Limited
c/o Branded3
2nd Floor, 2180 Century Way
Thorpe Park
Leeds
LS 8ZB

If you have already paid by credit card then there is no need for you to make payment again.

For payment queries please contact Steven Wilde 0113 306 6966

For invoice queries please contact Emily Villiers 0207 902 6449

Kind Regards
SIMS Sales Ledger
This email is intended for the addressee only. It may be confidential and legally privileged. Unauthorised use, copying or disclosure of any of it may be unlawful. St. Ives plc does not accept liability for changes made to this message after it was sent. Any opinions expressed in this email do not necessarily reflect the opinions of St. Ives plc. If you have received this communication in error, please return the message to the sender by replying to it and delete the email immediately.
Whilst St. Ives plc has taken steps to avoid the transmission of viruses, it is the responsibility of the recipient to ensure that this email and its attachments do not adversely affect their system or data. St. Ives plc accepts no responsibility in this regard and the recipient should carry out such virus and other checks, as is considered appropriate.
St. Ives plc reserves the right to read any e-mail or attachment entering or leaving its systems from any source without prior notice.
St. Ives plc registered in England & Wales no. 1552113
Registered office: One Tudor Street, London EC4Y 0AH 


I have only seen one sample so far, with a Word document 1445942147T0.doc attached containing this macro which tries to download a malicious executable from g6000424.ferozo[.]com/25/10.exe but this fails with a timeout. However, the payload will be the Dridex banking trojan.

UPDATE:
I was informed of another download location at elkettasandassociates[.]com/25/10.exe which downloads a malicious binary with a detection rate of 5/57.

Automated analysis tools [1] [2] [3] show network traffic to the following IPs:

203.151.94.120 (Internet Thailand Company Limited, Thailand)
31.186.99.250 (Selectel, Russia)
146.185.128.226 (Digital Ocean, Netherlands)
185.12.95.40 (RuWeb, Russia)

According to this Malwr report it drops a Dridex DLL with a detection rate of 3/57.

Recommended blocklist:
203.151.94.120
31.186.99.250
146.185.128.226
185.12.95.40

MD5s:
4287dfb5e191d92f34ae50e190eee214
e481e0a2f853a84c903aea752823e496

Monday, 1 June 2015

Malware spam: "simonharrington@talktalk.net" / "Subject: Emailing: slide1"

This malware spam arrived in my mailbox in a somewhat mangled state.
From:    Simon Harrington [simonharrington@talktalk.net]
Subject: Emailing: slide1
Date: Mon, 01 Jun 2015 19:42:14 +0700
  Instead of having an attachment, it has a Base 64 encoded section like this:

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAACAAAAKgAAAAAA
AAAAEAAALAAAAAQAAAD+////AAAAACkAAAB+AAAA////////////////////////////////

As it is, this email is harmless because all the bad stuff needs decoding. Extracing that section and decoding it gives a file named slide1.doc which contains this malicious macro [pastebin].

This macro downloads a malicious component from:

http://irpanet.com/1/09.exe

Which has a VirusTotal detection rate of 7/56.  This Malwr report shows it communicating with the same IPs we saw earlier:

31.186.99.250 (Selectel Network, Russia)
107.170.1.205 (Digital Ocean, US)
146.185.128.226 (Digital Ocean, Netherlands)
144.76.238.214 (Hetzner, Germany)


It also drops the same Dridex DLL we saw earlier, now with a detection rate of 9/56.

Recommended blocklist:
31.186.99.250
107.170.1.205
146.185.128.226
144.76.238.214

MD5s:
0d02257ec18b92b3c1cf58b8cb6b3d37
cef5555f191735867c34868c346501ad

Incidentally, the email address is a genuine one belonging to a poor chap in Tunbridge Wells  (who has nothing to do with this). I bet his mailbox is completely packed with bouncebacks and responses from confused people..

Malware spam: "Uplata po pon 43421" / "Mirjana Prgomet [mirjana@fokus-medical.hr]"

I have no idea what "Uplata po pon" means, but this spam does come with a malicious attachment:

From:    Mirjana Prgomet [mirjana@fokus-medical.hr]
Date:    20 May 2015 at 08:26
Subject:    Uplata po pon 43421
There is no body text, but the only example I saw had an attachment name of report20520159260[1].doc which contained this malicious macro [pastebin] which downloads a malicious executable from:



http://uvnetwork.ca/1/09.exe


This is saved as %TEMP%\eldshrt1.exe and has a VirusTotal detection rate of 3/56. There are probably other download locations with other variants of the document, but the payload should be the same in each case.



Automated analysis tools [1] [2] [3] indicate network traffic to the following locations:


31.186.99.250 (Selectel Network, Russia)
107.170.1.205 (Digital Ocean, US)
146.185.128.226 (Digital Ocean, Netherlands)
144.76.238.214 (Hetzner, Germany)


The Malwr report shows that it drops a Dridex DLL with a detection rate of 5/53.

Recommended blocklist:
31.186.99.250
107.170.1.205
146.185.128.226
144.76.238.214

MD5s:
7008675da5c1b0a6b59834d125fafa45
cef5555f191735867c34868c346501ad

Friday, 22 May 2015

Malware spam: "Your Invoice IN278577 from Out of Eden" / "sales@outofeden.co.uk"

This fake invoice does not come from Out of Eden Ltd but is instead a simple forgery leading to malware.

From: sales@outofeden.co.uk [mailto:sales@outofeden.co.uk]
Sent: 22 May 2015 10:50
Subject: Your Invoice IN278577 from Out of Eden

Dear customer,

Thank you for your order. Please find attached a DOC copy of your invoice IN278577 from sales order S391622.

Your order was despatched on 21/05/2015.  Please check the order on delivery and report any shortage, damage or discrepancy within 48 hours from of receipt of this invoice.

If you would prefer to receive a paper invoice or if this email has been sent to the wrong address, please email sales@outofeden.co.uk or call our Customer Service Team on 017683 72939.

Kind Regards,

Customer Services
Tel: 017683 72939
Please consider the environment before printing this email

Out of Eden Ltd
The UK's Most Popular One-Stop-Shop for Hospitality Products www.outofeden.co.uk

Home Farm Buildings, Kirkby Stephen.  CA17 4AP
Tel: 01768 372 939 Fax: 01768 372 636
Email: sales@outofeden.co.uk
VAT no: 621 2326 86
Reg. in England & Wales - Co. No. 3178081
The payload is very similar to the one found in this earlier spam run, the payload appears to be the Dridex banking trojan.

My contact who sent the information about this spam run (thanks!) also sent the following data about the attachments and download locations. I haven't had time to look into it any further.

hxxp://thepattersonco[.]com/85/20.exe
Attachment: Invoice IN278577 (emailed 2015-05-21).doc
MD5: b15ac324d13f8804959a81172317a4ba

hxxp://www[dot]footingclub[.]com/85/20.exe
Attachment: Invoice IN278577 (emailed 2015-05-21).doc
MD5: d89c0affa2c1b5eff1bfe55b011bbaa8

hxxp://hci-ca[.]com/85/20.exe/85/20.exe
Attachment: Invoice IN278577 (emailed 2015-05-21).doc
MD5: 98c3a42b0d958333a4108e04f10d441f

hxxp://www.seedsindaphne[.]org/85/20.exe
Attachment: Invoice IN278577 (emailed 2015-05-21).doc
MD5: 13dfb8bd543e77453cfd0ab3d586ba77 

hxxp://mercury.powerweave[.]com/85/20.exe
Attachment: Invoice IN278577 (emailed 2015-05-21).doc
MD5: cf5a5ec18a9031f998a1a3945ca10379


Malware spam: "This is a Remitter Advice following the submission of a payment instruction by Lloyds Bank Plc." / "Australian Taxation Office"

This spam doesn't seem to know if it's from Lloyds Bank or the Australian Tax Office.

From:    Australian Taxation Office [noreply@ato.gov.au]
Date:    22 May 2015 at 10:31
Subject:    Remittance Advisory Email


Monday 22 May 2014

This is a Remitter Advice following the submission of a payment instruction by Lloyds Bank Plc.

Please review the details of the payment here.


Lloyds Banking Group plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC95000. Telephone: 0131 225 4555. Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales no. 2065. Telephone 0207626 1500. Bank of Scotland plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC327000. Telephone: 08457 21 31 41. Cheltenham & Gloucester plc. Registered Office: Barnett Way, Gloucester GL4 3RL. Registered in England and Wales 2299428. Telephone: 0845 603 1637

Lloyds Bank plc, Bank of Scotland plc are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and Prudential Regulation Authority.

Cheltenham & Gloucester plc is authorised and regulated by the Financial Conduct Authority.

Halifax is a division of Bank of Scotland plc. Cheltenham & Gloucester Savings is a division of Lloyds Bank plc.

HBOS plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC218813.

This e-mail (including any attachments) is private and confidential and may contain privileged material. If you have received this e-mail in error, please notify the sender and delete it (including any attachments) immediately. You must not copy, distribute, disclose or use any of the information in it or any attachments. Telephone calls may be monitored or recorded.
The link in the email goes to a download page at sharefile.com and leads to an archive file FAX_82APL932UN_772.zip containing a malicious executable FAX_82APL932UN_772.scr which has a date stamp of 01/01/2002 (presumably to make it harder to spot).

This binary has a detection rate of 4/57 and automated analysis tools [1] [2] [3] [4] show that it downloads another file from:

relianceproducts.com/js/p2105us77.exe

This is renamed to csrss_15.exe and has a detection rate of 3/54. It is most likely a component of the Dyre banking trojan.

In addition, this Hybrid Analysis report shows traffic to:

209.15.197.235 (Peer 1, Canada) [relianceproducts.com]
217.23.194.237 (BLICNET, Bosnia and Herzegovina)

Recommended blocklist:
209.15.197.235
217.23.194.237

MD5s:
eb26a6c56b7f85b3257980d0c273c3cf
178a4e3dfa0feea04079592d3113bd2e


Thursday, 21 May 2015

Malware spam: "Travel order confirmation 0300202959" / "overseastravel@caravanclub.co.uk"

This fake booking confirmation (received from a contact - thanks!) does not come from the Caravan Club, but is a simple forgery with a malicious attachment:

From: overseastravel@caravanclub.co.uk [mailto:overseastravel@caravanclub.co.uk]
Sent: 21 May 2015 12:34
Subject: Travel order confirmation 0300202959    
    
Dear Customer,

Thank you for your travel order.

Please find attached your booking confirmation which you should take with you on your trip. Please note we no longer send tickets for overseas travel bookings.

Now you have booked your trip why not let The Club help you make the most of your stay?

Did you know The Club has a wide selection of travel advice on the website as well as directions to all our overseas sites?

Want some inspiration on more sites across Europe? Take a look at our Caravan Europe Guides.

If you ’’ ve not already taken out holiday insurance why not let The Club give you a Red Pennant quote online .

Yours sincerely    

The Caravan Club
The file in this case is called Travel Order Confirmation - 0300202959.doc, however the payload seems to be identical to the one found in this earlier spam run.

Malware spam: "Invoice# 2976361 Attached" / "PGOMEZ@polyair.co.uk"

So far I have only seen one sample of this. The sender and subject may vary.
From:    PGOMEZ@polyair.co.uk
Date:    21 May 2015 at 08:58
Subject:    Invoice# 2976361 Attached

Invoice Attached - please confirm..


This transmission may contain information that is privileged and strictly confidential.  If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED.

If you received this transmission in error, please contact the sender and delete the material from any computer immediately.  Thank you.

Attached is a malicious file with the no-very-imaginative name 00001.doc [VT 4/56] which contains this malicious macro [pastebin] that downloads a component from the following location:

http://mercury.powerweave.com/72/11.exe

This download site is hosted on 50.97.147.195 (Softlayer Technologies, US / Powerweave Software Services, India), although be aware that other versions of the macro may download from other locations. This file is saved as %TEMP%\ribasiml.exe and has a VirusTotal detection rate of 5/57.

Automated analysis tools [1] [2] [3] [4] show attempted communications with the following IPs:

78.24.218.186 (TheFirst-RU, Russia)
78.46.60.131 (Hetzner, Germany)
87.236.215.151 (OneGbits, Lithuania)
94.242.58.146 (Fishnet Communications, Russia)
130.208.166.65 (The University of Iceland, Iceland)
176.31.28.250 (OVH, France / Bitweb LLC, Russia)
185.12.95.191 (RuWeb, Russia)


The Malwr report shows that it drops a Dridex DLL with a detection rate of 4/57.

Recommended blocklist:
78.46.60.131
87.236.215.151
94.242.58.146
130.208.166.65
176.31.28.250
185.12.95.191
50.97.147.195

MD5s:
f5aee45ce06f6d9f9210ae28545a14c6
56305283d26e66b81afcbcb6f0e9b9b4
015cc26b738d313e5e7aba0c9114670e

Wednesday, 20 May 2015

Malware spam: "Sky.com / Statement of Account" and "Voice Mail / You have a new voice" via volafile.io

These two spam runs attempt to download malware from volafile.io. To give the folks at Volafile credit, all the malware I have seen linked to has been taken down. I suspect that the payload is the Dyre banking trojan.

From:    Sky.com [statement@sky.com]
Date:    20 May 2015 at 12:30
Subject:    Statement of account

Afternoon,

Please find the statement of account, download and view from the link below:

https://dl4.volafile.io/download/8eFEP-cNVEX-Jg/statement_00429117.zip

We look forward to receiving payment for the September invoice as this is now due for payment.

Regards,
Elliot

This email, including attachments, is private and confidential. If you have received this email in error please notify the sender and delete it from your system. Emails are not secure and may contain viruses. No liability can be accepted for viruses that might be transferred by this email or any attachment. Wilson McKendrick LLP Solicitors, Queens House, 29 St. Vincent Place, Glasgow G1 2DT Registered in Scotland No. SO303162. Members: Mark Wilson LLB Dip. NP LP Allan T. McKendrick LLB Dip. LP NP.


======================

From:    Voice Mail [Voice.Mail@victimdomain]
Date:    20 May 2015 at 12:11
Subject:    You have a new voice

You are receiving this message because we were unable to deliver it, voice message did not go through because the voicemail was unavailable at that moment.

* The reference number for this message is _qvs5419167125_001

The transmission length was 41
Receiving machine ID : BA9R-DUQUC-TY7T

To download and listen your voice mail please follow the link below: https://dl3.volafile.io/download/rnTYPuYNVEX6Jw/statement_00429114.zip

The link to this secure message will expire in 24 hours. If you would like to save a copy of the email or attachment, please save from the opened encrypted email. If an attachment is included, you will be given the option to download a copy of the attachment to your computer.
volafile.io is a pretty uncommon place to share files, so it might be worth looking at your traffic to see if there have been any unexpected requests to that site.


Tuesday, 19 May 2015

Malware spam: "Australian Taxation Office [noreply@ato.gov.au]" / "eFax message - 2 page(s)"

Apparently the Australian Taxation Office thinks I have a fax.. or perhaps it is something more sinister?

From:    Australian Taxation Office [noreply@ato.gov.au]
Date:    19 May 2015 at 12:48
Subject:    eFax message - 2 page(s)

Fax Message [Caller-ID: 408-342-0521]
You have received a 2 pages fax at 2015-05-19 08:18:16 AM EST.

* The reference number for this fax is
min2_did16-0884196800-3877504043-49.

View this fax using your PDF reader.

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!

Predictably, the link leads to a malicious download (this time at storage-ec2-24.sharefile.com) named Fax_00491175.zip and containing in turn a malicious executable Fax_00491175.scr.

This executable has a detection rate of 5/57. Automated analysis tools [1] [2] [3] shows that it downloads a further component from:

http://employmentrisk.com/images/1405uk77.exe

In turn, this has a detection rate of 4/57 and the Hybrid Analysis report indicates that it tries to communicate with 194.28.190.183 (AgaNet Agata Goleniewska, Poland).

Recommended blocklist:
employmentrisk.com
194.28.190.183

MD5s:
a6aa82995f4cb2bd29cdddedd3572461
b3b483c10d4f7eacd7cfa42f604968f8

Monday, 18 May 2015

Malware spam: "Your reasoning stands in need" / "Have a need in your thought" / "In want of your concern"

This fake financial spam run is similar to this one last week, and comes with a malicious attachment.

From:    Aida Curry
Date:    18 May 2015 at 11:40
Subject:    Your reasoning stands in need

Good Afternoon,
We have attained a reimbursement from you for the draft of £ 2909. Please would you secure me with a remittance, in order for me to reconcile the statement.
I will be sending you a pronouncing of outstanding invoices tomorrow, the entire quantum of outstanding is £ 5893 less the 1 draft received making a whole outstanding of £ 2984. We would very much appreciate settlement of this.
As previously mentioned we reversed to a limited company on 1st December 2014. We are desire to conclude all the old checks down, for both tax and year end reasons. We would be very grateful in your assistance in eliciting the outstanding.
If you need any application of bills please do not hesitate to contact us
Regards,
Aida Curry

-------------------

From:    Cornelius Douglas
Date:    18 May 2015 at 11:39
Subject:    Your reasoning stands in need

Good morning
Please find attached   a remittance advice, relating to a outpayment made to you.
Many thanks
Regards,
Cornelius Douglas
Seniour Finance Assistant

-------------------

From:    Jewell Shepard
Date:    18 May 2015 at 11:37
Subject:    Have a need in your thought

Please, see the attached similar of the remittance.
Please, can you remit a revised pronouncing so we can settle any outstanding balances.
Kind Regards,
Jewell Shepard
Subjects spotted so far are:
In want of your concern
Your reasoning stands in need
Have a need in your thought
Vital announcement 561335
Your advertence stands in need
Grand advert 482209
Important notice 540897
In want of your regarding
In want of your concern
Your reasoning stands in need
Wish to know your thought
Your cognizance is in great necessity
Need your consideration

There seem to be several different attachments, but for the sake of simplicity I have looked at just one. The Hybrid Analysis report shows this this is a MIME attachment that downloads and executes a script from pastebin[.]com/download.php?i=C5KGsRX3 which in turn downloads a malicious executable from  193.26.217[.]220:80/bt/get3.php (Servachok LTD, Russia) which is saved as crypted.120.exe.

This executable has a VirusTotal detection rate of 4/57. The Malwr and Hybrid Analysis reports indicates traffic to 5.63.154.228 (Reg.Ru, Russia) and also shows a dropped Dridex DLL with a detection rate of 3/57.

Recommended blocklist:
5.63.154.228
193.26.217.220

MD5s (executable):
af15ba558c07f8036612692122992aad
0074fdc06f8b1da04c71feb249e546dc

Wednesday, 13 May 2015

Malware spam: "Need your attention,''Important notice" / "Financial information" / "Important information"

This mix of spam messages come with a malicious attachment:

From:    Johnny Higgins [JohnnyHigginsyb@mail.whitsoncm.com]
To:    "it-dept@victimdomain"
Date:    13 May 2015 at 11:39
Subject:    Need your attention,''Important notice

Good Afternoon,

We have received a payment from you for the sum of £ 686.  Please would you provide me with a remittance, in order for me to reconcile the statement.

I will be sending you a statement of outstanding invoices tomorrow, the total amount outstanding is £ 1564  less the £3254.00 received making a total outstanding of £ 878.  We would very much appreciate settlement of this.

As previously mentioned, we changed entity to a limited company on 1st December 2014.  We are keen to close all the old accounts down, for both tax and year end reasons.  We would be very grateful in your assistance in settling the outstanding.

If you need any copy invoices please do not hesitate to contact us

Regards,

Johnny Higgins

--------------------------

From:    Rowena Mcconnell [RowenaMcconnellev@telemar.it]
To:    tedwards@victimdomain
Date:    13 May 2015 at 11:38
Subject:    Financial information

Good Afternoon,

Please see attached the copy of the remittance.

Please can you send a revised statement so we can settle any outstanding balances.

Kind Regards,

Rowena Mcconnell

--------------------------

From:    Jimmie Cooley [JimmieCooleyzils@fsband.net]
To:    server@victimdomain
Date:    13 May 2015 at 11:34
Subject:    Important information

Good morning

Please find attached a remittance advice, relating to a payment made to you.

Many thanks

Regards,

Jimmie Cooley
Seniour Finance Assistant

Each attachment is slightly different, but does contain the name of the recipient plus a random number (e.g. it-dept_0E78A3A5700B.doc). The payload is meant to be a multi-part MIME file, but many are corrupt and are either Base 64 encoded or are "404 Not Found" files.

If the file is correctly format, it should behave similarly to this Hybrid Analysis report, which says that it connects to several different IPs, but crucially also it downloads a malicious executable from 91.226.93[.]110/bt/get1.php (Sobis, Russia) and saves it as crypted.120.exe.

This malicious executable has a detection rate of 2/56 and the Malwr report says that it communicates with 46.36.217.227 (FastVPS, Estonia) and drops a Dridex DLL with a detection rate of 22/56.

Recommended blocklist:
46.36.217.227
91.226.93.110

MD5s:
9afecfaa484c66f2dd11f2d7e9dc4816
d2f825ecfb3d979950b9de92cbe29286



Tuesday, 12 May 2015

Malware spam: "ATTN: Outstanding Invoices - [4697E0] [April|May]"

This spam comes with random senders and reference numbers, but in all cases includes a malicious attachment:

From:    Debbie Barrett
Date:    12 May 2015 at 11:14
Subject:    ATTN: Outstanding Invoices - [4697E0] [April|May]

Dear anthony,

Kindly find attached our reminder and copy of the relevant invoices.
Looking forward to receive your prompt payment and thank you in advance.

Kind regards
The attachment name combines the recipient's email address with the fake reference number, e.g. barry_51DDAF.xls which isn't actually an Excel file at all, but a multipart MIME file. Payload Security's Hybrid Analysis tools manages to analyse it though, showing several steps in the infection chain.

First a VBScript is downloaded from pastebin[.]com/download.php?i=5K5YLjVu

Secondly, that VBScript then downloads a file from 92.63.88[.]87:8080/bt/get.php (MWTV, Latvia) which is saved as crypted.120.exe, this has a detection rate of 2/57.

This component then connects to 46.36.217.227 (FastVPS, Estonia) and according to this Malwr report drops a Dridex DLL with a detection rate of 3/56.

There are several different attachments, so far I have seen the following MD5s:
110B42E097A7677A993CF1B3B24743D8
20AEB9ECEBC26B3CDE960728E890F904
33A8CBE7B75B20B5EA1069E3E2A13D80
3973E29F7BDC7903FFCB596B10F9FD54
7019D711AE0E2FEDEE25EAA3341CFB7F
949816F4DF724E690690B3C8AD3871D4
9CDEFFBAC7B79302D309404E6F3068C4
B5C2393D44D8E0C94D04E2D159AE8776
B84D52F59AEC53B8D7FA109D256FCB6B
CA5E8A531A8EE24B15FC7B2A66502042
E99216D829C632DF24ECAD9162AF654C
EC1AD4316DBA799EF2E2440E715CD5F5
F4B5B0AE85F27E0A475BD359F5BE76E8
F666682D638FE67607DD189705844AD5

The MD5s for the malware components are:
DD7ADC5B140835DC22F6C95694F9C015
9AFECFAA484C66F2DD11F2D7E9DC4816
838F0A8D3FCBD0DDB2F8E8D236D17957

Recommended blocklist:
92.63.88.0/24
46.36.217.227


Malware spam: "Copy of your 123-reg invoice ( 123-015309323 )" / "no-reply@123-reg.co.uk"

This fake invoice is not from 123-reg, but is instead a simple forgery with a malicious attachment:

From:    no-reply@123-reg.co.uk
Date:    12 May 2015 at 10:17
Subject:    Copy of your 123-reg invoice ( 123-015309323 )

Hi,

Thank you for your order.

Please find attached to this email a receipt for this payment.

Help and support

If you are still stuck why not contact our support team? Simply visit our 123-reg Support Centre and click on the Ask a Question tab.

Thank you for choosing 123-reg.

The 123-reg team.

https://www.123-reg.co.uk
About us | Privacy policy
© Copyright 123-reg - Part of Webfusion Ltd

Webfusion Ltd is a company registered in England and Wales with company number 05306504. Our VAT number is 927 1292 22. The address of our registered office is: 5 Roundwood Avenue, Stockley Park, Uxbridge, Middlesex, UB11 1FF.
Attached is a Word document 123-reg-invoice.doc which contains a malicious macro [pastebin] and has a detection rate of 5/57. There may be several different versions of this macro, but the sample I saw downloaded a file from:

http://fosteringmemories.com/432/77.exe

..which is saved as %TEMP%\ihmail4.1.0.exe and has a VirusTotal detection rate of 5/56. Automated analysis tools [1] [2] [3] show it phoning home to the following IPs:

37.143.15.116 (Internet-Hosting Ltd, Russia)
62.152.36.90 (Host Telecom Net, Russia)
89.28.83.228 (StarNet SRL, Moldova)
185.15.185.201 (Colobridge gmbh, Germany)


According to this Malwr report it also drops a Dridex DLL with a detection rate of 3/57.

Recommended blocklist:
37.143.15.116
62.152.36.90
89.28.83.228
185.15.185.201

MD5s:
3fcc933847779784ece1c1f8ca0cb8e4
3540c517132a8a4cd543086270363447
0bb376ba96868461ffa04dd70dc41342


Monday, 11 May 2015

Malware spam: "Payment details and copy of purchase [TU9012PM-UKY]"

I haven't really had time to analyse this, so I am using the analysis of an anonymous source (thank you)..

From:    Kristina Preston [Kerry.df@qslp.com]
Date:    11 May 2015 at 12:56
Subject:    Payment details and copy of purchase [TU9012PM-UKY]

Dear [redacted]

On 08/05/15 you have requested full payment details and copy of purchase. Please refer to document in the attachment.

Any queries? Please reply back with your questions and you will receive a prompt and qualitative response as soon as possible. Please do not hesitate to write us.

Kristina Preston
Brewin Dolphin
The names and references change between different versions, but in all cases there is a malicious DOC file attached. This DOC has an unusual structure in that it is a some sort of MIME file containing a mixture of HTML and Base64-encoded segments.

My source has analysed that this downloads a VBS file from Pastebin at pastebin[.]com/download.php?i=FsYQqTaj which then downloads some sort of .NET binary from 91.226.93[.]14:8080/stat/get.php (Sobis, Russia)

This binary has a detection rate of 2/56 and according to automated analysis tools [1] [2] it communicates with:

46.36.217.227 (FastVPS, Estonia)

It also drops a DLL with an MD5 of f0d261147d2696253ab893af3d125f53 and a detection rate of 1/56.

Recommended blocklist:
46.36.217.227
91.226.93.14

Wednesday, 6 May 2015

Malware spam: "Email from Transport for London" / "noresponse@cclondon.com"

This spam does not come from Transport for London, but is instead a simple forgery with a malicious attachment.

From:    noresponse@cclondon.com
Date:    6 May 2015 at 12:44
Subject:    Email from Transport for London


Dear Customer,

Please open the attached file to view correspondence from Transport for
London.

If the attachment is in DOC format you may need Microsoft Word to
read or download this attachment.


Thank you for contacting Transport for London.



Business Operations
Customer Service Representative

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com

This email and any attachment are intended solely for the addressee, are strictly confidential and may be legally privileged. If you are not the intended recipient any reading, dissemination, copying or any other use or reliance is prohibited. If you have received this email in error please notify the sender immediately by email and then permanently delete the email.
______________________________________________________________________

So far I have seen four different versions of the malicious Word document AP0210780545.doc, all with low detection rates [1] [2] [3] [4] containing various macros [1] [2] [3] [4]. These attempt to download an executable from one of the following locations:

http://jkw-sc.com/111/46.exe
http://aimclickbang.com/111/46.exe
http://www.haunersdorf.de/111/46.exe
http://volpefurniture.com/111/46.exe


This file is saved as %TEMP%\wiley5.exe and has a VirusTotal detection rate of 3/57. Automated analysis tools [1] [2] [3] show attempted network traffic to:


62.152.36.90 (Filanco Ltd, Russia)
89.28.83.228 (StarNet, Moldova)
185.12.95.191 (RuWeb CJSC, Russia)
185.15.185.201 (Colobridge, Germany)


This Malwr report shows that it drops a Dridex DLL with a detection rate of 4/56.

Recommended blocklist:
62.152.36.90
89.28.83.228
185.12.95.191
185.15.185.201


MD5s:
412ce577521a560459cd711f5966caf4
997bafa825426a3456625983878cb5df
bab231ddf87a24dd81638483f209d238
a49a337f1189dd139499a102b635c918
079f0c588769f6961d888614cf140812
03f9a963fefffc4b97b880a8c4ad208b

Thursday, 30 April 2015

Nepal Earthquake scam: savenepal.org

I was tipped off to this site by a contact, but it appears that there are some particularly dispicable scammers who have registered a fake website called savenepal.org which is soliciting donations via PayPal.

The site largely cloned from the legitimate ActionAid site which is genuinely seeking donations to go to Nepal.

ActionAid is "Registered charity no 274467" (it says so on the bottom of the page). SaveNepal.org claims to be "Registered charity no 276187", but we can check at the UK charities commission and we can see that the charity with this number is actually an orchestra.


Clicking "Donate" on the scam site leads to PayPal. It doesn't give much of a clue about the ownership of the fake site:


The WHOIS details for the domain are hidden using WhoIsGuard. These other sites appear to be live on the same server:

com-indexhtml.link
com-indexhtml.us
grantsekit.com

Out of these, only com-indexhtml.us has a non-anonymous WHOIS entry:

Registrant ID:                               C4E83B25FA8AD52D
Registrant Name:                             Frank J. Moore
Registrant Address1:                         2441 Byers Lane
Registrant City:                             Davis
Registrant State/Province:                   CA
Registrant Postal Code:                      95616
Registrant Country:                          United States
Registrant Country Code:                     US
Registrant Phone Number:                     +1.5307574940
Registrant Email:                            uscustomerhelp@gmail.com
Registrant Application Purpose:              P1
Registrant Nexus Category:                   C12


I'm pretty sure that those contact details are fake. Going back through historical WHOIS comes up with different contact details:

Registrant ID:                               29B0B5BBD7190398
Registrant Name:                             dinna  james
Registrant Address1:                         po box 876
Registrant City:                             dl
Registrant State/Province:                   dl
Registrant Postal Code:                      110098
Registrant Country:                          India
Registrant Country Code:                     IN
Registrant Phone Number:                     +1.918978978
Registrant Email:                            helpot80@gmail.com
Registrant Application Purpose:              P1
Registrant Nexus Category:                   C12


Of course, these contact details could also be false and there's no definite connection to savenepal.org yet. But out of curiosity, who is helpot80@gmail.com?  Googling doesn't reveal much, but it does show a copy of a conversation in the news.admin.net-abuse.email where someone who is claiming to use this email address is complaining about spam. If we then use Google Groups to find the original newsgroup post we see it was posted from an IP of 182.68.85.242 which is a dynamic Bharti Airtel IP in India, which does at least match the country in the WHOIS details.

Another Google result is this Phishtank entry listing social2013.com/rockgrade/ which appears to be a copy of the Rock Grade Management scam site I covered way back in 2011, indicating that perhaps these two scams are related. helpot80@gmail.com was listed as the owner of social2013.com before it expired in February 2015.

This WHOISology report links the address to several domains:

beauty6k.com
social2013.com
droughty.com
auto36.us
secure2013.us

Also, 94.242.255.129 has hosted many other domains, many of which appear to be scammy.

com-13.pw
com-21.us
com-indexhtml.us
news7d.com
mynews360.com
grantsekit.com
social2013.com
secured2014.com
usgrantskit.com
savenepal.org
com-indexhtml.link
huffingtonpost.com-indexhtml.link
dear.graphics

Many of these have the helpot80@gmail.com address listed in their historical WHOIS entries.

What else can we find out?

The email address is connected with this scammy looking Facebook page allegedly giving away "free laptops"



The email address also links to this Google+ profile naming them as "N. Al.". It also links to this YouTube channel with a single video about Payoneer. These Profiles indicate that helpot80@gmail.com has an interest in affiliate marketing, an activity with a mixed reputation.

I cannot prove that helpot80@gmail.com is connected with the savenepal.org, but they probably know whoever is behind it.

Remember, if you want to donate to ANY disaster charity, it is worth checking very carefully that you are dealing with the real thing and not a bunch of scammers.

Malware spam: "Rebecca McDonnell [rebecca@gascylindersuk.co.uk]" / "Telephone order form"

This fake financial email is not from Gas Cylinders UK but is instead a simple forgery with a malicious attachment.

From:    Rebecca McDonnell [rebecca@gascylindersuk.co.uk]
Date:    30 April 2015 at 09:54
Subject:    Telephone order form

Telephone order form attached
Regards,

Rebecca McDonnell
Business Administrator

340a Haydock Lane, Haydock Industrial Estate,
St Helens, Merseyside, WA11 9UY
DDI:  01744 304338
Fax: 01942 275 312
Email: rebecca@gascylindersuk.co.uk


***** D i s c l a i m e r *****

This e-mail message is confidential and may contain legally privileged information. If you are not the intended recipient you should not read, copy, distribute, disclose or otherwise use the information in this e-mail.  Please also telephone us on 0800 622 6330, immediately and delete the message from your system. E-mail may be susceptible to data corruption, interception and unauthorised amendment, and we do not accept liability for such corruption, interception or amendment or the consequences thereof.
There is a malicious Word document attached with the name TELEPHONE PURCHASE ORDER FORM.doc which probably comes in a few different variants, but the one I saw had a VirusTotal detection rate of 4/56 and contained this malicious macro [pastebin] which downloaded a component from the following location:

http://morristonrfcmalechoir.org/143/368.exe

This is saved as %TEMP%\serebok2.exe and has detection rate of 8/56. Analysis tools are a bit patchy today, but the VirusTotal report indicates traffic to:

212.227.89.182 (1&1, Germany)

The Malwr report reported a dropped Dridex DLL with a detection rate of 3/55.


Wednesday, 29 April 2015

cnwebregistry.cn / chinaygregistry.com scam and "Huayu Ltd"

This spam email is actually part of a long-running Chinese scam.

From:    Jim Bing [jim.bing@cnwebregistry.cn]
Date:    29 April 2015 at 14:27
Subject:    Re:"[redacted]"

Dear CEO,

(If you are not the person who is in charge of this, please forward this to your CEO, because this is urgent, Thanks)

We are a Network Service Company which is the domain name registration center in Shanghai, China.
We received an application from Huayu Ltd on April 27, 2015. They want to register " [redacted] " as their Internet Keyword and " [redacted] .cn "、" [redacted] .com.cn " 、" [redacted] .net.cn "、" [redacted] .org.cn " domain names etc.., they are in China domain names. But after checking it, we find " [redacted] " conflicts with your company. In order to deal with this matter better, so we send you email and confirm whether this company is your distributor or business partner in China or not?

Best Regards,

Jim
General Manager
Shanghai Office (Head Office)
3008, Jiulong Building, No. 836 Nandan Road,
Xuhui District, Shanghai 200070, China
Tel: +86 216191 8696
Mobile: +86 1870199 4951
Fax: +86 216191 8697
Web: www.cnwebregistry.cn
Whoever "Huayu Ltd" are is irrelevant, as they aren't actually interested in registering these domains, even if they exist. Instead, this is an attempt by a rogue Chinese domain registrar to get you to buy overpriced and worthless domains.

In this case the spam mentions the domain cnwebregistry.cn, but chinaygregistry.com is also on the same server and will be similarly fraudulent.

This video I made a while ago explains the scam in more detail: